Merge pull request #72 from thelittlefireman/patch-3

Fix #71 - limit connection by IP
2021-03-08 10:15:14 +01:00 · 2021-03-08 10:15:14 +01:00 · 9142afdb54
commit 9142afdb54
parent d5d699252c 1a8b8043c8
7 changed files with 45 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -1085,7 +1085,7 @@ The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 10 requ
 Values : *<any valid integer\>*  
 Default value : *40*  
 Context : *global*, *multisite*  
-The number of of requests to put in queue before rejecting requests.
+The number of requests to put in queue before rejecting requests.
 `LIMIT_REQ_CACHE`  
 Values : *Xm* | *Xk*    
@ -1093,6 +1093,27 @@ Default value : *10m*
 Context : *global*  
 The size of the cache to store information about request limiting.
 ### Connections limiting
 `USE_LIMIT_CONN`  
 Values : *yes* | *no*  
 Default value : *yes*  
 Context : *global*, *multisite*  
 If set to yes, the number of connections made by an ip will be limited during a period of time. (ie. Very small/weak ddos protection)  
 More info connections limiting [here](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html).
 `LIMIT_CONN_MAX`  
 Values : *<any valid integer\>*  
 Default value : *40*  
 Context : *global*, *multisite*  
 The maximum number of connections per ip to put in queue before rejecting requests.
 `LIMIT_CONN_CACHE`  
 Values : *Xm* | *Xk*    
 Default value : *10m*  
 Context : *global*  
 The size of the cache to store information about connection limiting.
 ### Countries
 `BLACKLIST_COUNTRY`  
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@ -88,6 +88,9 @@ http {
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%
 	# shared memory zone for limit_conn
 	%LIMIT_CONN_ZONE%
 	# whitelist or blacklist country
 	%USE_COUNTRY%
--- a/confs/site/limit-conn.conf
+++ b/confs/site/limit-conn.conf
@ -0,0 +1 @@
 limit_conn ddos %LIMIT_CONN_MAX%;
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@ -15,6 +15,7 @@ server {
 		return 405;
 	}
 	%LIMIT_REQ%
 	%LIMIT_CONN%
 	%AUTH_BASIC%
 	%REMOVE_HEADERS%
 	%X_FRAME_OPTIONS%
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@ -95,6 +95,9 @@ USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
 LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
 LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
 LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
 USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
 LIMIT_CONN_MAX="${LIMIT_CONN_MAX-40}"
 LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
 PROXY_REAL_IP="${PROXY_REAL_IP-no}"
 PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@ -245,6 +245,13 @@ else
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
 fi
 # connection limiting
 if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
 fi
 # DNSBL
 if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@ -547,6 +547,14 @@ else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
 fi
 # connection limiting
 if [ "$USE_LIMIT_CONN" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "include ${NGINX_PREFIX}limit-conn.conf;"
 	replace_in_file "${NGINX_PREFIX}limit-conn.conf" "%LIMIT_CONN_MAX%" "$LIMIT_CONN_MAX"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" ""
 fi
 # fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"